Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 22:26

General

  • Target

    b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe

  • Size

    78KB

  • MD5

    c8410b400bb6749891d425553e408d60

  • SHA1

    d0833742443c6353faef910a585288e93bdeec99

  • SHA256

    b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22

  • SHA512

    798164b84064b3c3cca36c89a2cf79dfbecd5e4b66759dbdb3f10bcab4c4021b5d6e2fe78da2033a5938eb7214dbe62ff6e319adba52383cdf9ba35fd65d0c59

  • SSDEEP

    1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1Gy:XuHFon3xSyRxvY3md+dWWZyRK9/nI

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
    "C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\66psrubg.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2552
    • C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
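The tree above is the classic "compile at runtime" dropper pattern: the sample writes a VB.NET source file and a response file to %TEMP%, invokes the .NET 2.0 vbc.exe with /noconfig @<file>.cmdline (which in turn spawns cvtres.exe to link the resource), then launches the freshly built tmp9608.tmp.exe and hands it the original sample path as an argument, after which the new binary sets a Run key. The following script is an added detection example, not part of this report or the sandbox's own tooling. It takes process-creation records in a Sysmon Event ID 1 style and Run-key values in a Sysmon Event ID 13 style; the records are constructed to mirror the tree above (same images, PIDs and command lines), the parent PID 1000 of the sample and the Run-key value name/data are assumptions, since the report does not give them.

```python
import re
from collections import defaultdict

# CONSTRUCTED records mirroring the process tree in this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe")
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [
    {"pid": 2416, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},  # ppid assumed
    {"pid": 2372, "ppid": 2416, "image": NET2 + r"\vbc.exe",
     "cmdline": f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\66psrubg.cmdline"'},
    {"pid": 2552, "ppid": 2372, "image": NET2 + r"\cvtres.exe",
     "cmdline": (f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                 f'"/OUT:{TEMP}\\RES9770.tmp" "{TEMP}\\vbc975F.tmp"')},
    {"pid": 1932, "ppid": 2416, "image": TEMP + r"\tmp9608.tmp.exe",
     "cmdline": f'"{TEMP}\\tmp9608.tmp.exe" {SAMPLE}'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive these compilers; anything else is worth a look.
BENIGN_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Deliberately narrow: only the drop locations this kind of dropper actually uses.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_compile_and_run_chains(events):
    """One finding per chain: non-dev parent -> vbc/csc reading a response file
    from a user-writable directory (-> cvtres), plus any .exe the same parent
    launched from a user-writable directory afterwards."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for comp in events:
        if basename(comp["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(comp["ppid"])
        if parent is None or basename(parent["image"]) in BENIGN_COMPILER_PARENTS:
            continue
        m = RESPONSE_FILE.search(comp["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        dropped = [c for c in children[parent["pid"]]
                   if c["pid"] != comp["pid"]
                   and c["image"].lower().endswith(".exe")
                   and USER_WRITABLE.search(c["image"])]
        findings.append({
            "parent_pid": parent["pid"],
            "compiler_pid": comp["pid"],
            "response_file": m.group(1),
            "cvtres_seen": any(basename(c["image"]) == "cvtres.exe"
                               for c in children[comp["pid"]]),
            "dropped_exe_pids": [c["pid"] for c in dropped],
            # The dropped binary receiving the parent's own path as an argument
            # is the hand-off/self-replacement step visible in the tree.
            "dropped_given_parent_path": [c["pid"] for c in dropped
                                          if parent["image"].lower() in c["cmdline"].lower()],
        })
    return findings


RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\runonce",
}


def suspicious_run_values(values):
    """values: (key, name, data) triples. Flags Run/RunOnce entries whose
    command points into a user-writable directory."""
    return [v for v in values
            if v[0].rstrip("\\").lower() in RUN_KEYS and USER_WRITABLE.search(v[2])]


# CONSTRUCTED: the report only states that a Run key was added; name and data
# are illustrative assumptions.
RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     f'"{TEMP}\\tmp9608.tmp.exe"'),
]

if __name__ == "__main__":
    for f in find_compile_and_run_chains(EVENTS):
        print("compile-and-run chain:", f)
    for v in suspicious_run_values(RUN_VALUES):
        print("persistence from user-writable path:", v)
```

Run against the constructed records, the chain detector returns a single finding rooted at PID 2416 with compiler PID 2372, cvtres observed, and PID 1932 both as the dropped executable and as the child that was handed the parent's path; the Run-key check flags only the entry pointing into %TEMP%. In a real deployment the same functions would be fed from Sysmon or EDR telemetry rather than the inline lists, and the benign-parent allowlist should be tuned to the build tooling actually present on the estate.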

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\66psrubg.0.vb

    Filesize

    15KB

    MD5

    85db9c723e861f7a8e83b3621500a633

    SHA1

    26cbaff66fe3ab35eb2883bdca99a65396489414

    SHA256

    2fafa4bde939827db1a5956bffd095295ec9c321dc9cb95131146a3f7bae959f

    SHA512

    e269fe60f4290e90e1ad58818d7bfe4fe7f9418e1a525e41fd0d0c5246b289867acb08a4b827458d4127d2c177d8c06035266626b89c94bb574b364293e60f82

  • C:\Users\Admin\AppData\Local\Temp\66psrubg.cmdline

    Filesize

    266B

    MD5

    cab29f22f94f337f1707f20b28369b02

    SHA1

    c5fe5650c07c76c295267562b6083236a89d36d6

    SHA256

    c3d4d4084aeb8c62e69b77db8f69618c1caf033da5e2144ceccb876fb66acdd7

    SHA512

    a4cabea46727aeaae01d33dbd91dd87973034d1c08297ff6fa1befa87e2a5348eee307a625dd9716783c8fc89eaa4ad8718d8dea84956bcd93a2341f3232529a

  • C:\Users\Admin\AppData\Local\Temp\RES9770.tmp

    Filesize

    1KB

    MD5

    cd91be2740d5bbd06daa4451bf6b5e83

    SHA1

    c4167375cfee30b41c3b02b7be3240f7cd4fa343

    SHA256

    1b65c2531c5bdc7d04ff396601195a4ac952723feb281a12b7546c95a576dae3

    SHA512

    086fe04014910087c58769acfb4da8cd89d9cc236ef4096985512aa09dcb24c3862398fa66b286442c202565004eaa5e7b9e16b77bf2babba8423dadcdf81e58

  • C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe

    Filesize

    78KB

    MD5

    a58806a619e9ed7764389430c43e1e9e

    SHA1

    dc21122b3eb192c0eac1bdb4d7fb6a32205f3732

    SHA256

    7c194b89ee27cb6a2edd8a100e7731fc4977fcbe1517e17bbee2299d1ad426ac

    SHA512

    df1f7f6453266b238ae5dd6cad98246ca4eb7d0a148331d5974b767f2bce9e51581dd142acbf0b80af419e85471bb8141d6fc76b0e1a53f3b0331a487795c327

  • C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp

    Filesize

    660B

    MD5

    ef827095057da0304b070414f96230e4

    SHA1

    e372fa409ff8f1f7bc950eff86d590f85bda04d8

    SHA256

    7fb1e7504342090ae690591fb33d58c827b48257597796f79dfddd2cbfddf781

    SHA512

    af3902bf9fcf867b6ec8e80cf5d0a64895b8cee0c54df99cf212a2231a230b89d8736260a62c93a4a5ca48a13bcda5c17a8307c70d8e9e540c3e064ae45ddc6f

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    4f0e8cf79edb6cd381474b21cabfdf4a

    SHA1

    7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

    SHA256

    e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

    SHA512

    2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

  • memory/2372-8-0x0000000074330000-0x00000000748DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-18-0x0000000074330000-0x00000000748DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2416-0-0x0000000074331000-0x0000000074332000-memory.dmp

    Filesize

    4KB

  • memory/2416-1-0x0000000074330000-0x00000000748DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2416-2-0x0000000074330000-0x00000000748DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2416-24-0x0000000074330000-0x00000000748DB000-memory.dmp

    Filesize

    5.7MB